CVE-2022-40716
published 2022-09-23

CVE-2022-40716: HashiCorp Consul and Consul Enterprise up to 1.11.8, 1.12.4, and 1.13.1 do not check for multiple SAN URI values in a CSR on the internal RPC endpoint…

Priority: P3 (36)
Severity: medium, 6.5 (CVSS 3.1)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
EPSS: 0.83% (52.8th percentile)
HashiCorp Consul and Consul Enterprise up to 1.11.8, 1.12.4, and 1.13.1 do not check for multiple SAN URI values in a CSR on the internal RPC endpoint, enabling leverage of privileged access to bypass service mesh intentions. Fixed in 1.11.9, 1.12.5, and 1.13.2.

Affected

7 ranges
Vendor     | Product          | Version range       | Fixed in
debian     | consul           |                     |
github.com | hashicorp_consul | >= 0 < 1.11.9       | 1.11.9
github.com | hashicorp_consul | >= 1.12.0 < 1.12.5  | 1.12.5
github.com | hashicorp_consul | >= 1.13.0 < 1.13.2  | 1.13.2
hashicorp  | consul           | < 1.11.9            | 1.11.9
hashicorp  | consul           | >= 1.12.0 < 1.12.5  | 1.12.5
hashicorp  | consul           | >= 1.13.0 < 1.13.2  | 1.13.2

CVSS provenance

Source        | Version | Score | Severity | Vector
nvd           | v3.1    | 6.5   | MEDIUM   | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
osv           |         | 6.5   | MEDIUM   |
vendor_debian |         | 6.5   | MEDIUM   |
vendor_redhat |         | 6.5   | MEDIUM   |